Re: Questions/thoughts around outsourcing guest wireless

[Tim Doty <tdoty () MST EDU>]

On 08/07/2012 10:33 AM, Perry, Jeff wrote:
> I'm not aware that it has but I can't claim to follow.  I know that in 2005 the law was expanded and that (unlike the 
> 1994 version) this is where a lot of the fog of war crept in.

As CALEA amounts to a requirement to be able to provide tcpdump for 
traffic to/from a particular IP address* I have never seen what the 
hoopla about CALEA compliance was about. Sure, you can pay a vendor to 
"make you CALEA compliant" but if you can provide a span port to the FBI 
when they come (legally) knocking I really don't see what the issue is.

Law enforcement is concerned with being able to tap communications made 
by persons under investigation. If such an individual happens to be a 
guest at your campus I'm hard pressed to come up with a scenario in 
which a legal request for traffic to/from IP addresses in use by the 
individual would come up during their stay.

As for:

> So as we see it, while we want to make sure that we understand and appropriately address any calea issues/impacts the major 
> reasons we're looking into this again (fairly deeply) is the above.

I would think the only meaningful answer can come from your general 
counsel, suitably informed about complications of your environment.

But consider this: CALEA applies to ISPs. What does your home ISP do 
about CALEA? Do they not allow guests? They have no way of knowing, in 
fact, who may or may not be using your allocated IP address at any given 
time.

The likely scenarios are either a) an employee/student is under 
investigation and law enforcement wants the network traffic as evidence, 
or b) a system has been compromised and law enforcement is investigating 
the hackers.

Other than running things by general counsel I believe you are over 
thinking it.

* CALEA is the requirement to provide an "interface" to allow government 
wiretapping. Originally aimed at telco's the update that is referred to 
applies to Internet traffic (VoIP and "broadband"). Unlike telco 
switches that required interfaces for tapping, Internet traffic usually 
transits a switch that has a span port or similar that can be used to 
provide a tap. Many places already do this to provide for IDS/IPS 
functionality.

The rest of the story is the normal warrant which will specify the 
target of the surveillance. CALEA is just about having the capability to 
respond positively to a legal request for a wiretap. If you can do that 
you are already CALEA compliant, whether or not you need to be.

As an aside, unless you are providing the VoIP you are not subject to 
CALEA for it. This is an old article, but it covers indirectly that 
Skype is responsible for CALEA compliance, not a random ISP who happens 
to be transiting the traffic 
(http://www.voip-news.com/articles/voip-blog/can-skype-keep-its-secrets-52037) 
and the more recent 
(https://ivebeenhacked.wordpress.com/2011/02/18/is-skype-safe/) follows 
the same line.

Tim Doty

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature